MITRE ATT&CK® Detection Strategy

DET0361: Detecting .NET COM Registration Abuse via Regsvcs/Regasm

Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0361 is a detection strategy for abuse of the trusted Windows utilities Regsvcs and Regasm, which can register .NET COM assemblies and may be used to proxy code execution. The business issue is not the tools themselves—they are legitimate—but whether the organization can distinguish normal administrative or developer use from suspicious use of Microsoft-signed binaries that may bypass application-control expectations.

Executive priority

Prioritize this as a control-validation item for Windows environments where application control, signed-binary trust, or COM/.NET administration is part of the security model. Leaders should ask whether SOC telemetry can show when Regsvcs or Regasm are executed, by whom, from where, and with what surrounding activity. This supports incident triage, audit evidence for endpoint monitoring, and resilience against stealthy execution paths that may otherwise look like normal Windows utility usage.

Technical view

The supplied ATT&CK object has no official description or detection text, but its relationship states that it detects T1218.009, Regsvcs/Regasm, a Windows technique associated with stealth. SOC and detection teams should validate monitoring around execution of Regsvcs and Regasm, especially command-line context, parent/child process relationships, file paths of referenced assemblies, user context, and nearby COM/.NET registration activity. Treat legitimate administrator, developer, build, and software deployment activity as expected false-positive sources that require baselining.

Likely telemetry

  • Windows process creation events for Regsvcs and Regasm
  • Command-line arguments and executable path metadata
  • Parent and child process relationships
  • User/account context and logon/session context
  • File metadata for referenced .NET assemblies where available

Detection direction

  • Confirm that endpoint telemetry records Regsvcs and Regasm execution with full command-line detail; process names alone are usually insufficient for triage.
  • Baseline known administrative, developer, build-system, and software-installation use to reduce noise.
  • Look for unusual execution context, such as unexpected parent processes, non-standard user accounts, atypical working directories, or references to assemblies from user-writable or temporary locations.
  • Correlate execution with COM registration changes, new files, or follow-on processes rather than relying on a single event.
  • Validate whether application-control policies treat these Microsoft-signed utilities as implicitly trusted and whether monitoring compensates for that blind spot.

Mitigation priorities

  • Inventory legitimate business use of Regsvcs and Regasm before enforcing restrictive controls.
  • Ensure endpoint logging and EDR collection are enabled for Windows process creation, command lines, and relevant registry/COM activity.
  • Review application-control and allowlisting policy decisions for trusted Windows utilities that can proxy execution.
  • Limit administrative privileges and software deployment rights to reduce opportunities for unauthorized registration activity.
  • Use detection tuning and response playbooks to separate approved .NET/COM administration from suspicious signed-binary proxy execution.

Analyst notes and limits

This take is based on DET0361 and its relationship to ATT&CK technique T1218.009, Regsvcs/Regasm. The related technique describes abuse of Microsoft-signed Windows command-line utilities used to register .NET COM assemblies and potentially proxy execution. The value for defenders is validating whether signed-binary execution paths are visible and explainable in local telemetry.

The supplied DET0361 object does not include official description, detection logic, platforms, tactics, or analytic details. Recommendations are therefore conservative and derived from the relationship to T1218.009 and the provided related technique description. Local baselines are required to distinguish legitimate administration or development activity from suspicious behavior.

Official MITRE ATT&CK definition

Detecting .NET COM Registration Abuse via Regsvcs/Regasm

No official description is available in the imported ATT&CK source object.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain     | ID        | Name           | Type          | Relationship / procedure
Enterprise | T1218.009 | Regsvcs/Regasm | Sub-technique | This object detects Regsvcs/Regasm.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page under Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: f31c16e5dc3cf94d...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle f31c16e5dc3c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0361 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.